Collection Modules
Scott Sutherland edited this page Mar 18, 2022
Collection modules are used to query data from target systems. They typically target a single data source. Below is a summary of the currently supported collection modules.

| Module Name | Mitre ATT&CK ID | Module Description | Collection Method |
|---|---|---|---|
| collect-tasks | T1053.002 | Collects Windows scheduled task information. | `Get-ScheduledTask` |
| collect-services | T1569.002 | Collects Windows service information. | `Get-WmiObject -Class win32_service` |
| collect-wmi-providers | T1047 | Collects WMI provider information. | `Get-WmiObject -Class __Win32Provider` |
| collect-wmi-subscriptions | T1546.003 | Collects WMI subscription information. | WMI Subscriptions |
| collect-startup-files-allusers | T1547.001 | Collects information from the all-users startup folder. | `$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\` |
| collect-startup-registry-run | T1547.001 | Collects information from registry Run keys. | `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\` |
| collect-installed-software | T1505 | Collects installed software information. | `Get-Software` |
| collect-named-pipes | T1570 | Collects information from named pipes. | `Get-ChildItem \\.\pipe\` |
| collect-events-4732 | T1136.001 | Collects information from 4732 events (member added to security-enabled local group). | Event 4732 |
| collect-events-1102 | T1070.001 | Collects information from 1102 events (audit log cleared). | Event 1102 |
| collect-process | T1057 | Collects a list of running processes. | `Get-WMIObject Win32_Process` |
All collection modules are automatically loaded from the windows\modules\collection folder and run against established PowerShell Remoting sessions. You can add your own modules to that folder and they will be run automatically alongside the built-in ones.
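As an added example (not code from this project or page), the script below is a stand-alone PowerShell collector modelled on collect-startup-registry-run. The project's module contract is not described on this page, so the function simply emits one object per Run/RunOnce value, adds HKCU and WOW6432Node keys beyond the HKLM key listed in the table, and the remoting invocation at the end uses placeholder hostnames.

```powershell
# Added example: stand-alone collector for registry Run/RunOnce keys (not the project's own module).
# Assumption: the project's module format is unknown here, so this just returns PSCustomObjects.

function Get-RunKeyEntries {
    [CmdletBinding()]
    param()

    # Run keys commonly used for persistence; the HKLM Run key is the one the table lists.
    $RunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    foreach ($Key in $RunKeys) {
        # Skip keys that do not exist on this host (e.g. WOW6432Node on 32-bit systems)
        if (-not (Test-Path -Path $Key)) { continue }

        # Get-ItemProperty exposes each value name as a property; drop the PS* provider metadata
        $Item  = Get-ItemProperty -Path $Key
        $Names = $Item.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }

        foreach ($Prop in $Names) {
            [PSCustomObject]@{
                ComputerName = $env:COMPUTERNAME
                Key          = $Key
                ValueName    = $Prop.Name
                Command      = [string]$Prop.Value
                CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
    }
}

# Local run: one row per Run/RunOnce value found on this host
Get-RunKeyEntries | Format-Table -AutoSize

# Against established PowerShell Remoting sessions (hostnames are placeholders):
# $Sessions = New-PSSession -ComputerName 'host1', 'host2'
# Invoke-Command -Session $Sessions -ScriptBlock ${function:Get-RunKeyEntries} |
#     Export-Csv -Path .\run-keys.csv -NoTypeInformation
```

The CSV output keeps the ComputerName column so results from many hosts can be merged and reviewed for unexpected commands in one pass.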